Recently, at a rate of about once a day, a new article comes blaming Microsoft for being evil and using their
Secure Boot thingie to monopolize the desktop and prevent Linux from taking over. On top of that, Microsoft
notwithstanding, lots of people are blaming UEFI for not letting them boot various Linux distributions.

I would like to use this opportunity to dispell myths and fears and pure, simple disinformation, as most of the
articles written on this topic are nothing more than FUD designed to generate controversy, traffic and revenue.
So let's see what gives, and why UEFI is all right, and why there is no problem whatsoever.

UEFI at a glance

The acronym stands for Unified Extensible Firmware Interface. It is a standard that defines the interface
between operating systems and platform hardware. Essentially, it replaces BIOS in this function. UEFI is more
modern and supports all kinds of things, like remote connectivity, mouse navigation inside its menus, and
suchlike. You also get support for very large disks, and a whole lot of other services.

Secure boot

Another feature added in version 2.2 of UEFI is Secure Boot. This capability can be used to restrict the
hardware platform to allow booting only operating systems that have a valid digital signature. In a way, this
is somewhat similar to what happens when you connect to HTTPS sites, like your bank.

In the Setup mode, UEFI enumerates the hardware and writes relevant public keys,
known as the Platform keys, to the firmware. In the User mode, it allows only
operating systems that have a matching private key to boot. In most cases, the private key will include the
enumeration of hardware devices and the kernel's digital signature. Hence the term, Secure Boot, because if the
operating system gets changed in a significant way, or the hardware is tampered with, this could be an
indication that something is wrong, and you might not want to boot your machine. In order to allow changes and
kernel updates, additional keys can be stored, but they must be related to the platform key. Moreover, custom
modes allow adding new keys for other operating systems. This is much like the digital certificate of a
website. If the site gets tampered with, the signature will no longer be valid, and you might not want to
proceed.

Microsoft conspiracy, not

And this is where drama begins. Microsoft Windows 8 supports
Secure Boot. However, this feature was instantly publicly subverted into a conspiracy that Microsoft intends
to use the feature to lock out other operating system vendors, namely Linux, from behind able to boot their
stuff on the same hardware.

The question is, why would you be concerned?

Indeed, what's there to worry about? You simply enter your UEFI menu, change the Secure Boot configuration to
either Setup or Custom modes, and make relevant tweaks. And this is where problems start.

Because of the GPL restrictions, it might be impossible to change the GRUB bootloader
to use digital signatures. The exact reasons are not really important, but it has nothing to do with Microsoft.
Furthermore, a generic signing key could be used for the bootloader, which would satisfy the licensing
concerns, but then, how do you persuade OEM to ship this key along with the Microsoft one? Again, nothing to do
with Microsoft.

Lastly, several pre-boot bootloaders are being developed, which would be used for signing, and then handing off
the boot sequence control to GRUB in the normal way. These things are called shims, and there are several
variants in the works. There ought to be an official bootloader out there, now,
do search the Web for more info if you really care. Again, unrelated to any conspiracy theory by Microsoft. And
did I say that Secure Boot can be DISABLED completely, and that this is not a
concern whatsoever? This is the one thing that seems to enrage the crowds most.

Wait, Secure Boot, can it be disabled?

The thing is, Microsoft want platforms shipping Windows RT, which means ARM, which probably means tablets and
smartphones, to have their UEFI locked down in such a way to prevent tampering with the Secure Boot mechanism.
If you think about it more carefully, this is no different than what Apple or Google do with their phones,
where you must load custom firmware to be able to so-call jailbreak them. However, no one clamors about that,
and everyone seems to go wild when Microsoft want to do the same thing.

On the same note, Microsoft also requires OEM vendors to allow full control of the Secure Boot on x86 platforms, which stands for your desktops and laptops
and such. Which brings us to OEM vendors.

OEM vendors

Let's take a look at the market figures. Normally, you will have some uptight MBA graduate strutting up and
down the stage, telling you how excited he is, and emphasizing the word penetration, in regard to markets, that
is. And you may assume that Microsoft wants to fight aggressively for every square millimeter of the proverbial
turf.

Indeed, Microsoft definitely want to ensure their market share. But given the restrictions and lack thereof,
for Windows and Windows RT, there does not seem to be any real problem. Moreover, some simple statistics. 90%
of all computers are running Microsoft Windows, one version or another. Roughly 90% of all computers come
preinstalled, and their users never bother changing anything. Some 90% of people will never think about
dual-booting or using any other operating system other than the usual crap that comes by default. Linux never
was and never is an issue.

On that same note, people who use Linux are savvy, skilled and can easily enter the UEFI menu and make changes
needed to allow dual and triple and whatever booting on their boxes. Most Linux users will also likely purchase
generic hardware, without any operating system installations, so the notion of Secure Boot will never be
raised. Much ado about nothing, but drama is more fun.

The only question you need to be asking yourself is this: On OEM hardware that supports and uses Secure Boot,
and which comes preinstalled with Windows, on which you might intend to use your own operating systems of some
kind, will the vendor respect the requirements and truly allow disabling or modifying the Secure Boot feature?

This is the ONLY relevant question. There's nothing wrong with UEFI and its
capabilities, nor even Microsoft's desires, goals and strategies, nor requirements from the vendors. The only
question is, will these vendors respect the standard or make changes to the UEFI, as to cripple the
functionality and prevent specific user changes? That's the only thing that needs to worry you.

To answer that: Do NOT buy hardware - laptops mostly, that is - which come with
limited or restricted UEFI interface. Do not purchase hardware that could limit your usage models. Make sure
you buy machines that support: 1) Secure Boot changes 2) Legacy mode that emulates old BIOS. That's all you
need to worry about right now.

Why UEFI works fine, examples

I bought two desktops, one in 2011, and another in 2012, virtually identical.
Both come with ASUS boards, and consequently, ASUS firmware. In both cases, the machines use UEFI, and have
support for legacy boot. In both cases, I installed and ran Windows 7, as well as several Linux distributions
without any problems WHATSOEVER. The Secure Boot never came up as an issue, because it is disabled or does not
exist in the menu or who the hell cares. That's all. Choose your hardware carefully, and when you have full
control of your assets, you can make your own modifications any which way you like.

UEFI scare stories

Now, on the far end of the spectrum, you have would-be scary stories about how certain Samsung laptops got
bricked after trying to boot Linux on them. This was instantly turned into another Microsoft conspiracy, until
everyone figured out that Secure Boot was not an issue here. Rather, the incompatibility between the operating
system and the underlying firmware, due to a BUG in firmware, caused the machines
to cease living.

Naturally, people were quick to blame UEFI for being evil. The thing is, the problem manifested only in certain
boot modes, and only with certain versions of Linux. Moreover, stories about bricked hardware are not new.
There have been a million cases like this in the past, sometimes with select items, like DVD burners or
routers, sometimes with whole machines. It happens. There are bugs, and then, they get resolved.

There's nothing wrong with UEFI, or Samsung, or Linux. In certain conditions, when you combine various
components, problems can happen, and they do. The reason this surfaced is most likely because Samsung did not
test Ubuntu or alike on their laptops, which ship preinstalled with
Windows. The same issue might have happened in the factories while assembling these boxes, but Samsung would
have contacted Microsoft and resolved this silently. Well, apparently not,
because the problem manifests in Windows, too. BAM! There goes the conspiracy.

You do not want to know how many hundreds of cases like this happen all the time, with OEM vendors going back
to the operating system and hardware companies, and asking for fixes in the firmware. You really do not want to
know, and you do not need to care, as a customer.

More scare stories

People also clamoring that their systems, with the Secure Boot enabled, would not boot after making changes to
their hardware. Indeed, new hardware components means a new enumeration of the devices, and then the digital
signature hash no longer matches the stored key.

This might be a small problem, but it is also easily resolved. You disable the Secure Boot before making
hardware changes. We go back to OEM vendors respecting the specifications and standard. Frankly, this will most
likely never be an issue of desktops. And with laptops, now really, how often do you change hardware?

Conclusion

UEFI is no devil. It's just different from BIOS, and operating systems will have to be adapted to make use of
its capabilities. Simple. Likewise, the Secure Boot functionality is nothing you should worry about too much.
What you need to do is, make you purchase hardware from vendors that do not treat their customers as a toilet
bowl. That's all.

If you stick by these simple rules and guidelines, your multi-boot experience on hardware with UEFI will be
pleasant and hassle free. One day, Linux distributions will all natively and seamlessly support Secure Boot, so
that one issue will vanish completely, too. Other than that, all the usual applies, including the slight,
remote possibility that your hardware might decide to become a cinder block. But that can happen regardless of
what acronym you choose for the day. Now, enough useless drama.